Monday, May 28, 2018

Save the scaremongering about Fancy Bear: the scariest hacking weapon in the world, EternalBlue, was invented by the US NSA, was published on the internet in April 2017, and is now in the toolbox of every hacker and nation state. Among those who have used the fruit of the US oligarchy's negligence are Russia's Fancy Bear and Iran's Chafer. Excerpts from Wired, 3/7/18:

EternalBlue is certainly continuing that tradition—and by all indications it’s not going anywhere. If anything, security analysts only see use of the exploit diversifying as attackers develop new, clever applications, or simply discover how easy it is to deploy….

Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA.

The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network.

In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected.

The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue’s profile, many attackers had already realized the exploit’s potential by then.

Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. “WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them,” says Jérôme Segura, lead malware intelligence analyst at the security firm Malwarebytes. “There are definitely a lot of machines that are exposed in some capacity.”

Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. “EternalBlue will be a go-to tool for attackers for years to come,” says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. “Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed.

There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms.”
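One concrete way to find the “machines that get missed” Williams describes is to ask each host whether it still negotiates SMBv1, the protocol surface EternalBlue abuses. The script below is an added example, not code from Wired or from this post; it assumes only the Python 3 standard library and a reachable TCP port 445, and it reports only whether SMBv1 is still offered (and which dialect the server picks), not whether the host is patched. The framed reply used in the offline demo is constructed here, not a capture.

```python
"""Check whether a host still negotiates SMBv1, the protocol surface EternalBlue abuses.

Added example for this page; it is not code from Wired or from the blog post.
Assumes only the Python 3 standard library. It answers one narrow question,
"does this server still speak SMBv1?", which is the exposure the article
describes; it does NOT tell you whether the host has the patch installed.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NBSS_SESSION_MESSAGE = 0x00

# Offer only SMBv1 dialects, so the reply says something about SMBv1 specifically.
DIALECTS = (b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12")

# SMB1 header after the 4-byte magic: Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID (28 bytes, little-endian).
_HDR = "<BIBHH8sHHHHH"


def _nbss(msg):
    """Wrap an SMB message in a NetBIOS session-service frame (type byte + 24-bit length)."""
    return bytes([NBSS_SESSION_MESSAGE]) + len(msg).to_bytes(3, "big") + msg


def build_negotiate_request(dialects=DIALECTS):
    """Return a framed SMB_COM_NEGOTIATE request offering the given SMBv1 dialects."""
    header = SMB1_MAGIC + struct.pack(
        _HDR, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    # Each dialect is a BufferFormat byte (0x02) followed by a NUL-terminated name.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount = 0, ByteCount, data
    return _nbss(header + body)


def classify_negotiate_response(raw, dialects=DIALECTS):
    """Interpret the reply to build_negotiate_request().

    raw is the framed reply, or b"" if the server closed the connection or stayed silent.
    Returns {"smb1": bool, "dialect": name-or-None, "detail": str}.
    """
    if not raw:
        return {"smb1": False, "dialect": None,
                "detail": "no SMBv1 reply (SMBv1 disabled, port filtered, or timeout)"}
    smb = raw[4:]
    if smb[:4] == SMB2_MAGIC:
        return {"smb1": False, "dialect": None, "detail": "server replied with SMB2 only"}
    # A valid SMB1 reply is at least header (32) + WordCount (1) + ByteCount (2) bytes.
    if smb[:4] != SMB1_MAGIC or len(smb) < 35:
        return {"smb1": False, "dialect": None, "detail": "not a parseable SMB reply"}
    if smb[4] != SMB_COM_NEGOTIATE:
        return {"smb1": True, "dialect": None,
                "detail": "SMBv1 reply to an unexpected command 0x%02x" % smb[4]}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return {"smb1": True, "dialect": None,
                "detail": "SMBv1 spoken, negotiate failed with NT status 0x%08x" % status}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return {"smb1": True, "dialect": None,
                "detail": "SMBv1 spoken, but none of the offered dialects accepted"}
    name = dialects[dialect_index].decode("ascii")
    return {"smb1": True, "dialect": name, "detail": "SMBv1 ENABLED, server selected " + name}


def probe(host, port=445, timeout=5.0):
    """Send one SMBv1 NEGOTIATE to host:port and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        try:
            raw = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            raw = b""
    return classify_negotiate_response(raw)


def constructed_negotiate_reply(dialect_index):
    """A minimal NT LM 0.12-style NEGOTIATE reply (constructed test data, not a capture)."""
    header = SMB1_MAGIC + struct.pack(
        _HDR, SMB_COM_NEGOTIATE, 0, 0x98, 0xC807, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    # 17 words: DialectIndex, SecurityMode, MaxMpx, MaxVcs, MaxBuffer, MaxRaw,
    # SessionKey, Capabilities, SystemTime, TimeZone, ChallengeLength.
    params = struct.pack("<HBHHIIIIqhB", dialect_index, 0x03, 50, 1, 16644, 65536,
                         0, 0x8000E3FD, 0, 0, 8)
    return _nbss(header + struct.pack("<B", 17) + params + struct.pack("<H", 0))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # live probe, e.g. python smb1_probe.py 10.0.0.5
    else:
        print(classify_negotiate_response(constructed_negotiate_reply(2)))   # offline demo
```

Run it with a hostname or IP to probe a live host; run it with no argument to see the classifier applied to the constructed reply. A host that answers in SMBv1 is the one to pull up in your patch inventory first; a host that answers SMB2-only or resets the connection has at least closed the SMBv1 door.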

New examples of EternalBlue’s use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. “EternalBlue is ideal for many attackers because it leaves very few event logs,” or digital traces, Rendition Infosec’s Williams notes. “Third-party software is required to see the exploitation attempts.”

And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms.

It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for it—and to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks.